Crimeware Protection Whitepaper
Intel® Core™ vPro™ Processors
Monitoring, Reporting, and Remediation with Intel® vPro™ Technology
Detecting a threat, notifying the IT management system of it, and restoring data and user productivity can be a time-consuming and costly process. The more time that passes, the greater the potential cost of the threat.
Intel embedded security technologies and Intel® Active Management Technology¹ (Intel® AMT) help maximize IT’s awareness, control, and response, while minimizing the costs of remediation and management. These technologies are part of business clients based on the Intel Core vPro processor family, enabling the following capabilities:
- On laptops, automated threat detection and lockdown – sometimes even before the user realizes it – threat reporting, and remote remediation when the device is recovered.
- Remote inventorying of hardware and software to ensure all security software and databases are up-to-date.
- Automated downloads to the client and updates of critical software, even during off-hours, whether or not the system is powered on.²
- Automated detection of critical, running security agents and notification when discovered missing or not active.
- Automatic network traffic filtering and disconnection in response to a threat.
- Remote access to business clients, with complete control over the system as if the technician were sitting in front of it.
Monitoring and Prevention
Every business client based on an Intel Core vPro processor maintains a high level of situational awareness with constant health monitoring, hardware and software inventories, and appropriate responses to any detected irregularities.
Prevention is Better than Remediation
Detecting and avoiding potential risk is easier and less costly than remediating an actual one. That’s why business clients with Intel Core vPro processors take periodic inventories of hardware and software, monitor their own health, and report irregularities.
These business clients keep records in non-volatile memory of all monitored activities and conditions, where IT personnel – or the automated console – can retrieve the information. Software inventories can be checked for currency and risk, and automatic updates scheduled accordingly – either immediately for high risk or during off-hours for lower risk applications. Known at-risk firmware can be remotely updated, and hardware can be flagged for upgrades or replacement as necessary. Prevention keeps costs down, and knowledge of every PC’s assets empowers IT to make efficient, informed, and intelligent decisions about how to manage its fleet of business clients.
Constantly Vigilant – Automatic Monitoring and Reporting of Critical Agent Presence
Some IT central management systems poll remote clients over the network for the presence of running, critical security agents, like antivirus and encryption software. Typically, the agents are present and active, meaning no threat is detected, but the request uses valuable network bandwidth for a positive report. And critical monitoring is interrupted if a network connection is unavailable, as with a laptop on the move.
Business clients with Intel AMT contain self-polling agents embedded in the system; these agents monitor and record the presence of critical software. The results of all polls are stored on the system in non-volatile memory for remote access at any time by IT.
If the necessary software does not report correctly, Intel AMT can contact the management console to notify IT and respond according to IT policies. By self-monitoring instead of responding to network polls, the client is continuously protected, regardless of network access, and does not take up bandwidth when the system is operating normally. Automated monitoring without direct IT intervention results in better protection at lower cost.
Containing Contagions – Automatic Network Monitoring and Response
Business clients based on Intel Core vPro processors protect themselves against many types of intrusion vectors, including by monitoring network traffic. This monitoring and protection is handled in hardware by the network adapter, not by running software, which could potentially be corrupted.
IT can define network filters that trigger a security response to protect both the client and the corporate assets on the network. Network threat detection monitors the following:
- The type of traffic coming through the network adapter, to protect against threats embedded in data.
- The rate of the activity (in desktop clients), to protect against distributed denial of service (DDoS) attacks.
When the system detects a threat, it immediately responds by isolating itself from the network to prevent the spread of a contagion or further participation in a DDoS attack. Network disconnection is handled by the network adapter, not the operating system’s network stack, to ensure the isolation is secured in hardware, beyond the reach of potentially invading stealthy crimeware.
The out-of-band remediation channel remains open for IT to remotely manage the system and restore it to service.
Staying Put – Minimizing Costs through Remote Remediation
According to industry studies, deskside and service-center calls make up only a small percentage of PC problems in a typical business, but they take up the majority of the budget. When a visit is the result of an active threat, costs have already accumulated. Remote remediation minimizes the costs related to visits, and helps quickly return an employee to productivity.
Intel AMT with KVM Remote Control³ puts IT personnel in the driver’s seat – literally – with full remote control of a business client to enable the following capabilities:
- Remote/redirected boot – reboot to a clean state or redirect the boot device to a clean local or remote image, a diagnostics or remediation server, or other device.
- Serial-Over-LAN (SOL) console redirection to control the keyboard outside of the OS to perform tasks, such as editing BIOS settings from the service center—without user participation.
- Access asset information anytime, to identify “missing” or failed hardware components, and verify software version information.
- Guide a PC through a troubleshooting session without requiring user participation—even for complex issues such as BIOS issues, blue-screens, freezes, patch failures, and other “edge” software issues.
- Watch as BIOS, drivers, and the OS attempt to load, to identify problems with the boot process.
- Update BIOS settings, identify BIOS versions, or push a new BIOS version to the PC to resolve a particular problem.
- Upload the persistent event log from non-volatile memory to identify the sequence of events (such as temperature spikes or an unauthorized software download) that occurred before the system failed.
- Restore an OS by pushing new copies of missing or corrupted files, such as .DLL files.
- Rebuild or upgrade the OS or fully reimage the hard drive remotely.
Hardware-based technologies help automate and simplify protection and remediation, thus reducing costs.
While today’s cyber-criminals use new stealthy techniques for targeted attacks on companies and organizations, business clients based on Intel Core vPro processors help thwart these threats with built-in, hardware-based security technologies. These Intel technologies work below the OS and provide hardware assistance to advanced security agents beyond the OS.
- Intel OS Guard, Intel TXT, and Intel VT help IT manage threats by preventing malware from invading below the OS.
- Intel IPT with PKI, Intel IPT with OTP, and Intel IPT with Protected Transaction Display help prevent identity theft using hardware-based security with software-based convenience and remediation response.
- Intel AES-NI and Intel Secure Key enable safer, faster encryption.
- Intel AT protects laptops and their data on the go.
- Intel® vPro™ Technology⁴ helps reduce the effort and cost of threat prevention and remediation.
All these built-in technologies, available only in systems based on Intel Core vPro processors, help keep companies and their data safer by protecting data and networks against today’s advanced persistent threats and targeted attacks. For more information, see www.intel.com/vpro.
1. Security features enabled by Intel® Active Management Technology (AMT) require an enabled chipset, network hardware and software and a corporate network connection. Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Setup requires configuration and may require scripting with the management console or further integration into existing security frameworks, and modifications or implementation of new business processes. For more information, visit http://www.intel.com/technology/manage/iamt.
2. Systems using Client Initiated Remote Access (CIRA) require wired or wireless LAN connectivity and may not be available in public hot spots or “click to accept” locations.
3. KVM Remote Control (Keyboard Video Mouse) is only available with Intel® Core™ i5 vPro™ processors and Core™ i7 vPro™ processors with active processor graphics. Discrete graphics are not supported.
4. Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro/.